# krb5conf v2_7 with afs on node garibaldi.fnal.gov automatic update 27Aug2007
# V2.1	Added capaths section with transitive trusts, removed
#	checksum_type from libdefaults
# V2.1a	Added domain definitions for the Windows realms
# V2.2	Added units (m=minutes) to ticket_lifetime in [libdefaults],
#	added e898 AFS remapping to [instancemapping] section and
#	removed old pam definitions from [appdefaults] section which
#	just had a forwardable=true statement
# V2.3	Removed krb4_convert_524 statement from pam settings in
#	[appdefaults] section to speed up logins
# V2.4	Added CERN definitions to [realms] section
# V2.5	Changed in [libdetaults], copied some items from [appdefaults]
#	so library finds them, set credentials cache type to 4 and
#	removed the default_*_enctypes.
# V2.6	Added missing ":88" to the admin_server definitions
# V2.7	Removed the 2.6 change, and re-enabled the default_*_enctypes
#	in [libdefauls] as these are needed to make Cryptocards work for now
#
###
### This krb5.conf template is intended for use with Fermi
### Kerberos v1_2 and later.  Earlier versions may choke on the 
### "auth_to_local = " lines unless they are commented out.
### The installation process should do all the right things in
### any case, but if you are reading this and haven't updated
### your kerberos product to v1_2 or later, you really should!
###
[libdefaults]
	ticket_lifetime = 1560m
	default_realm = FNAL.GOV
	ccache_type = 4
	default_tgs_enCtypes = des-cbc-crc
	default_tkt_enctypes = des-cbc-crc
	default_lifetime = 7d
	renew_lifetime = 7d
	autologin = true
	forward = true
	forwardable = true
	renewable = true
	encrypt = true

[realms]
	FNAL.GOV = {
		kdc = krb-fnal-1.fnal.gov:88
		kdc = krb-fnal-2.fnal.gov:88
		kdc = krb-fnal-3.fnal.gov:88
		kdc = krb-fnal-4.fnal.gov:88
		kdc = krb-fnal-5.fnal.gov:88
		kdc = krb-fnal-6.fnal.gov:88
		kdc = krb-fnal-7.fnal.gov:88
		master_kdc = krb-fnal-admin.fnal.gov:88
		admin_server = krb-fnal-admin.fnal.gov
		default_domain = fnal.gov
	}
	WIN.FNAL.GOV = {
		kdc = littlebird.win.fnal.gov:88
		kdc = bigbird.win.fnal.gov:88
		default_domain = fnal.gov
	}
	FERMI.WIN.FNAL.GOV = {
		kdc = sully.fermi.win.fnal.gov:88
		kdc = elmo.fermi.win.fnal.gov:88
		kdc = grover.fermi.win.fnal.gov:88
		kdc = oscar.fermi.win.fnal.gov:88
		kdc = cookie.fermi.win.fnal.gov:88
		kdc = herry.fermi.win.fnal.gov:88
		default_domain = fnal.gov
	}
	UCHICAGO.EDU = {
		kdc = kerberos-0.uchicago.edu
		kdc = kerberos-1.uchicago.edu
		kdc = kerberos-2.uchicago.edu
		admin_server = kerberos.uchicago.edu
		default_domain = uchicago.edu
	}
	PILOT.FNAL.GOV = {
		kdc = i-krb-2.fnal.gov:88
		master_kdc = i-krb-2.fnal.gov:88
		admin_server = i-krb-2.fnal.gov
		default_domain = fnal.gov
        }
	WINBETA.FNAL.GOV = {
		kdc = wbdc1.winbeta.fnal.gov:88
		kdc = wbdc2.winbeta.fnal.gov:88
		default_domain = fnal.gov
	}
	FERMIBETA.WINBETA.FNAL.GOV = {
		kdc = fbdc1.fermibeta.winbeta.fnal.gov:88
		kdc = fbdc2.fermibeta.winbeta.fnal.gov:88
		default_domain = fnal.gov
	}
	CERN.CH = {
		kdc = afsdb2.cern.ch
		kdc = afsdb3.cern.ch
		kdc = afsdb1.cern.ch
		default_domain = cern.ch
		kpasswd_server = afskrb5m.cern.ch
		admin_server = afskrb5m.cern.ch
		v4_name_convert = {
			host = {
				rcmd = host
			}
		}
	}


[instancemapping]
	afs = {
		cron/* = ""
		cms/* = ""
		afs/* = ""
		e898/* = ""
	}

[capaths]

# FNAL.GOV and PILOT.FNAL.GOV are the MIT Kerberos Domains
# FNAL.GOV is production and PILOT is for testing
# The FERMI Windows domain uses the WIN.FNAL.GOV root realm
# with the FERMI.WIN.FNAL.GOV sub-realm where machines and users
# reside.  The WINBETA and FERMIBETA domains are the equivalent
# testing realms for the FERMIBETA domain.  The 2-way transitive
# trust structure of this complex is as follows:
#
# FNAL.GOV <=> PILOT.FNAL.GOV
# FNAL.GOV <=> WIN.FERMI.GOV <=> FERMI.WIN.FERMI.GOV
# PILOT.FNAL.GOV <=> WINBETA.FNAL.GOV <=> FERMIBETA.WINBETA.FNAL.GOV

FNAL.GOV = {
	PILOT.FNAL.GOV = .
	FERMI.WIN.FNAL.GOV = WIN.FNAL.GOV
	WIN.FNAL.GOV = .
	FERMIBETA.WINBETA.FNAL.GOV = WINBETA.FNAL.GOV
	WINBETA.FNAL.GOV = PILOT.FNAL.GOV
}
PILOT.FNAL.GOV = {
	FNAL.GOV = .
	FERMI.WIN.FNAL.GOV = WIN.FNAL.GOV
	WIN.FNAL.GOV = FNAL.GOV
	FERMIBETA.WINBETA.FNAL.GOV = WINBETA.FNAL.GOV
	WINBETA.FNAL.GOV = .
}
WIN.FNAL.GOV = {
	FNAL.GOV = .
	PILOT.FNAL.GOV = FNAL.GOV
	FERMI.WIN.FNAL.GOV = .
	FERMIBETA.WINBETA.FNAL.GOV = WINBETA.FNAL.GOV
	WINBETA.FNAL.GOV = PILOT.FNAL.GOV
}
WINBETA.FNAL.GOV = {
	PILOT.FNAL.GOV = .
	FERMIBETA.WINBETA.FNAL.GOV = .
	FNAL.GOV = PILOT.FNAL.GOV
	FERMI.WIN.FNAL.GOV = WIN.FNAL.GOV
	WIN.FNAL.GOV = PILOT.FNAL.GOV
}

[logging]
	kdc = SYSLOG:info:local1
	admin_server = SYSLOG:info:local2
	default = SYSLOG:err:auth

[domain_realm]
# Fermilab's (non-windows-centric) domains
	.fnal.gov = FNAL.GOV
	.cdms-soudan.org = FNAL.GOV
	.deemz.net = FNAL.GOV
	.dhcp.fnal.gov = FNAL.GOV
	.minos-soudan.org = FNAL.GOV
	i-krb-2.fnal.gov = PILOT.FNAL.GOV
	.win.fnal.gov = WIN.FNAL.GOV
	.fermi.win.fnal.gov = FERMI.WIN.FNAL.GOV
	.winbeta.fnal.gov = WINBETA.FNAL.GOV
	.fermibeta.winbeta.fnal.gov = FERMIBETA.WINBETA.FNAL.GOV
# Friends and family (by request)
	.cs.ttu.edu = FNAL.GOV
	.geol.uniovi.es = FNAL.GOV
	.harvard.edu = FNAL.GOV
	.hpcc.ttu.edu = FNAL.GOV
	.infn.it = FNAL.GOV
	.knu.ac.kr  = FNAL.GOV
	.lns.mit.edu = FNAL.GOV
	.ph.liv.ac.uk = FNAL.GOV
	.pha.jhu.edu = FNAL.GOV
	.phys.ttu.edu = FNAL.GOV
	.phys.ualberta.ca = FNAL.GOV
	.physics.lsa.umich.edu = FNAL.GOV
	.physics.ucla.edu = FNAL.GOV
	.physics.ucsb.edu = FNAL.GOV
	.physics.utoronto.ca = FNAL.GOV
	.rl.ac.uk = FNAL.GOV
	.rockefeller.edu = FNAL.GOV
	.rutgers.edu = FNAL.GOV
	.sdsc.edu = FNAL.GOV
	.sinica.edu.tw = FNAL.GOV
	.tsukuba.jp.hep.net = FNAL.GOV
	.ucsd.edu = FNAL.GOV
	.unl.edu = FNAL.GOV
	.in2p3.fr = FNAL.GOV
	.wisc.edu = FNAL.GOV
	.pic.org.es = FNAL.GOV

# The whole "top half" is replaced during "ups installAsRoot krb5conf", so:
# It would probably be a bad idea to change anything on or above this line

# If you need to add any .domains or hosts, put them here
[domain_realm]
	mojo.lunet.edu = FNAL.GOV

[appdefaults]
	default_lifetime = 7d
	retain_ccache = false
	autologin = true
	forward = true
	forwardable = true
	renewable = true
	encrypt = true
	krb5_aklog_path = /usr/krb5/bin/aklog

	telnet = {
	}

	rcp = {
		forward = true
		encrypt = false
		allow_fallback = true
	}

	rsh = {
		allow_fallback = true
	}

	rlogin = {
		allow_fallback = false
	}


	login = {
		forwardable = true
		krb5_run_aklog = true
		krb5_get_tickets = true
		krb4_get_tickets = false
		krb4_convert = false
	}

	kinit = {
		forwardable = true
		krb5_run_aklog = true
	}

	rshd = {
		krb5_run_aklog = true
	}

	ftpd = {
		krb5_run_aklog = true
		default_lifetime = 10h
	}

	pam = {
		debug = false
		forwardable = true
		renew_lifetime = 7d
		ticket_lifetime = 1560m	
#		krb4_get_tickets = false
		krb4_convert = true
		afs_cells = fnal.gov
		ignore_afs = true
		krb5_run_aklog = true
	}